Samba as a Domain Controller with OpenLDAP
Samba combined with OpenLDAP can be used to allow PEAP and TTLS authentication with free tools. This provides an alternative to Microsoft's Active Directory for institutions wishing to support PEAP natively under Windows without the use of Secure-W2.
Before Getting Started
There are several things to consider before implementing OpenLDAP as the Identity Provider (IdP) for eduroam-US at your institution. The first is that if you already have an existing directory service (AD, LDAP, etc.), interfacing Samba with that server will be more difficult than simply implementing a Domain Controller in Samba as described below. If you happen to be using OpenLDAP as your IdP, Samba does provide tools to convert your existing LDAP schema into the format required for it to operate as a PDC. This process should be undertaken with care and is not described within this document.
The first step in the process is to install OpenLDAP. Depending on your underlying platform, the specific steps may vary. We recommend the following links for Ubuntu (Debian should be extremely similar) and Red Hat Linux distributions. We welcome recommendations for further reference sites covering other Linux distributions, the various BSDs, or other *NIX variants (see the references for several).
Configure Samba as a Primary Domain Controller (PDC)
We assume Samba is installed and configured but not acting as a PDC. Add the following to your smb.conf (generally /etc/samba/smb.conf) to configure Samba as a PDC:
    # NetBIOS domain name (at most 15 characters, no dots); this is the name
    # passed as --domain to ntlm_auth in the testing section below
    workgroup = INSTITUTION
    security = user
    domain logons = yes
    # for a secondary (backup) domain controller set this to no; smb.conf only
    # treats whole lines starting with # or ; as comments, so keep notes on
    # their own line rather than after a value
    domain master = yes
To allow Windows machines to join the domain you also need to set up the following:
    logon path = \\%N\%U\profile
    logon drive = H:
    logon home = \\%N\%U
    logon script = logon.cmd
    add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
Setup Shares
For Samba to act as a PDC we must also set up various shares, including [homes], [netlogon], and [profiles]:
    [homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %S

    [netlogon]
    comment = Network Logon Service
    path = /srv/samba/netlogon
    guest ok = yes
    read only = yes
    share modes = no

    [profiles]
    comment = Users profiles
    path = /srv/samba/profiles
    guest ok = no
    browseable = no
    create mask = 0600
    directory mask = 0700
Other useful Samba options may be found in the Domain Control section of the Samba documentation. Some potentially useful options may be found below:
    # disable WINS (WINS is only needed for pre-Windows 2000 machines)
    wins support = no
    # keep the UNIX passwords the same as the Samba passwords
    unix password sync = yes
    # with the above, use PAM and not a passwd(1) program
    pam password change = yes
    # ensure that Samba will remain the master browser
    local master = yes
    preferred master = yes
    os level = 33
    # disable printing
    load printers = no
    printing =
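A small checker for the smb.conf fragments above, added here as an example that is not part of the original page or of Samba itself: it parses a constructed smb.conf (an assumed sample, embedded inline) and flags the mistakes that stop Samba from acting as a PDC, in particular trailing "#" comments, which smb.conf does not strip and which leave boolean parameters badly formed, plus missing domain-controller directives and guest access on the [netlogon] and [profiles] shares.

```python
# Constructed sample (not from the page): the PDC settings above, plus a
# trailing "#" comment that smb.conf does NOT strip, so the value is malformed.
SAMPLE = """[global]
workgroup = INSTITUTION
security = user
domain logons = yes
domain master = yes #for a backup domain controller set this to no
[netlogon]
guest ok = yes
read only = yes
[profiles]
guest ok = no
"""
BOOLS = {"yes", "no", "true", "false", "on", "off", "0", "1"}
REQUIRED = {"security": "user", "domain logons": "yes", "domain master": "yes"}


def parse_smb_conf(text):
    """Return {section: {param: value}}; global settings live under 'global'."""
    conf, section = {}, "global"
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # only whole-line comments exist
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, _, val = line.partition("=")
            conf.setdefault(section, {})[key.strip().lower()] = val.strip()
    return conf


def lint_pdc(conf):
    """List problems in the PDC-relevant settings; an empty list means none."""
    out, g = [], conf.get("global", {})
    for key, want in REQUIRED.items():
        if g.get(key, "").lower() != want:
            out.append(f"global: expected '{key} = {want}', got {g.get(key)!r}")
    for sect, params in conf.items():
        for key, val in params.items():
            # 'yes #note' is a badly formed boolean, not 'yes' plus a comment
            if "#" in val and val.split("#", 1)[0].strip().lower() in BOOLS:
                out.append(f"{sect}: '{key} = {val}' has an inline comment")
    nl, pr = conf.get("netlogon", {}), conf.get("profiles", {})
    if nl.get("guest ok", "no").lower() == "yes" and nl.get("read only", "yes").lower() != "yes":
        out.append("netlogon: a guest-accessible share must be read only")
    if pr.get("guest ok", "no").lower() == "yes":
        out.append("profiles: roaming profiles must not be guest accessible")
    return out
```

Run testparm(1) on the live file as well; this checker only covers the handful of settings this page discusses.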
Testing your Configuration
To test your configuration, use the ntlm_auth(1) tool on the command line. This tool acts as an intermediary between a domain controller (Samba or Active Directory) and UNIX applications; it talks to the running winbindd, so winbind must be up for the test to work. An example command line would be:
    ntlm_auth --domain=INSTITUTION --username=eduroam_tester
When no --password is given, ntlm_auth prompts for the user's password; it reports NT_STATUS_OK: Success (0x0) and exits with status 0 when the domain controller accepts the credentials, and exits non-zero when access is denied.
- Samba.org's chapter on Domain Control
- Ubuntu Server Guide - The Windows Networking section clearly outlines much of the above, and other features of Samba, for Ubuntu users
- Guide for setting up FreeBSD as a Samba PDC